
Software Verification 1 Deductive Verification




  1. Software Verification 1: Deductive Verification
  Prof. Dr. Holger Schlingloff
  Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

  2. Where are we?
  • Introduction
  • Propositional logic
  • Predicate logic
  • simple function contracts
  • loop invariants and termination
  • predicates and logical functions
  • specification of data types
  • parallel programs, deadlocks, livelocks
  • object-oriented programs

  3. Termination
  • Hoare triple: {}  {}: if  holds before the execution of , then  holds afterwards
  (1) ⊢ {Τ} skip {Τ} (skip)
  (2) ⊢ {Τ Τ} skip {Τ} (1, imp1)
  (3) ⊢ {Τ} while (Τ) skip {Τ } (2, whi)
  (4) ⊢ {Τ} while (Τ) skip {} (3, imp2)
  I.e., if T holds before the execution of while (Τ) skip, then  holds afterwards.
  I.e., after the execution of while (Τ) skip anything holds.

  4. {T}  {}: if  terminates, then  holds afterwards
  • Hoare logic is incapable of formulating statements about termination
  • Total correctness of  with respect to :
    • {T}  {}
    •  terminates
  • Notation:   
  • Clearly, if  contains no loops, then {}  {} implies   
  • How to prove termination of loops?

  5. Well-founded orders
  • A binary relation < is called a strict partial order iff it is
    • irreflexive: ¬ x<x
    • transitive: x<y  y<z  x<z
    • asymmetric: x<y  ¬ y<x
  • A partial order is called a total order iff it is
    • total: xy (x<y  y<x)
  • A strict partial order is called well-founded iff
    • there is no infinite descending chain, i.e., no infinite set {x0, x1, x2, x3, ...} such that x0>x1>x2>x3 ...
    • equivalently, if every non-empty set S has a minimal element (i.e., S xS yx (x<y))
  • A well-founded total order is called a well-order

  6. Well-orderings
  • natural numbers, <
  • integers - x<y iff |x|<|y| or |x|=|y| and x<y
  • pairs - ?
  • strings - ?
  • binary trees - ?
  • rational numbers - ?
  • real matrices - ?
  Counterexamples?

  7. Transfinite induction
  • Let (n) be any statement, where nM and < is a well-founded partial order on M.
  If for all xM it holds that: if (y) for all y<x, then (x); then (n) for all nM.
  x ((y<x (y))  (x))  n (n)

  8. Proof
  x ((y<x (y))  (x))  n (n)
  • Assume for contradiction that x ((y<x (y))  (x)), i.e., x (¬(x)  (y<x ¬ (y))), and that x0 ¬(x0).
  • Then x1<x0 ¬(x1)
  • Therefore x2<x1 ¬(x2), etc.
  • Continuing, we get an infinite descending chain of elements, contradicting well-foundedness

  9. Special Cases
  • natural induction: (0)  x ((x)  (x+1))  n (n)
  • mathematical induction: Let M be finitely generated, i.e., there are constructor functions f1,...,fn and M0M such that all xM can be written as x=f(f(...(x0)..)), where each f is a constructor function and x0M0
    • if (x0) for all x0M0, and
    • ((x)  (f(x))) for all xM and all constructor functions f,
    • then (x) for all xM

  10. Termination proofs
  • Let (M,<) be a well-founded order and (z) be a formula involving zM
  • if ⊢   (z0) for some z0M and ⊢ (z)b  (z’)  ¬b for some z’<z, then ⊢  while (b)  ¬b
  • (z) is called the variant of the loop

  11. Special case (Termination only)
  • if ⊢   (z) for some zM, and ⊢ (z) b  (z’) for some z’<z, and ⊢ ((z) ¬b  ), then ⊢  while (b)  
  • if ⊢ (z) for some zM and ⊢ (z)  (z’) ¬b for some z’<z, then ⊢ T while (b) T

  12. Example proof
  • Show ⊢ a>=0 while (a>0) a-- T
  • well-founded ordering: natural numbers (N0,<); (z) = (a==z)
  • a>=0  (a==z) for some zN0
  • ⊢ a==z a-- a==z-1
  • alternatively, with (z) = (floor(a)==z):
  • a>=0  (floor(a)==z) for some zN0
  • ⊢ floor(a)==z a-- floor(a)==z-1
  Would this proof hold for float a?

  13. Termination of gcd
  {a==m>0  b==n>0}
  while (a!=b) if (a>b) a=a-b else b=b-a
  {a==b==gcd(m,n)}
  We want to show that ⊢ a==m>0  b==n>0  T
  Variant (z) = (z==a+b); wfo: N0
  Show: ⊢ (z) if... (z’) for some z’<z
  Proof: let z’=z-min(a,b)

  14. A more intricate example
   = {b=1; while (a<=100 || b!=1) if (a<=100) {a+=11; b++;} else {a-=10; b--;} a-=10; }
  Show: ⊢ 0<a<=100  a==91
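The termination arguments of slides 10 to 14, turned into a runtime check. This is an added example and not code from the slides: the loop runner `run_with_variant`, the state dictionaries and the helper `variant_is_valid` are my own. It uses the well-founded order (N0, <) throughout, takes the variants a+b (slide 13) and floor(a) (slide 12) from the slides, and for slide 14, whose variant the slide leaves open, uses a variant of my own choice, 21*b - 2*a + 201, justified by the loop invariant b >= 1 and a <= 101 + 10*b. A violation reported by the check does not show that the loop diverges; it shows that the proposed variant is not a valid termination argument for it, which is exactly what happens to floor(a) for large float a.

```python
"""Runtime check of loop variants (added example, not part of the slides)."""
import math


class VariantViolation(Exception):
    """The proposed variant is not a natural number or did not decrease."""


def run_with_variant(state, cond, body, variant):
    """Run `while cond(state): body(state)` while checking the variant.

    state   -- dict of program variables, mutated in place
    cond    -- the loop condition b
    body    -- the loop body alpha, which mutates `state`
    variant -- maps a state to the candidate z
    Returns the number of iterations executed.  Because z is required to
    lie in N0 at every loop entry and to strictly decrease across every
    body execution, a checked run performs at most z0 iterations.
    """
    steps = 0
    while cond(state):
        z = variant(state)
        # phi(z) for some z in N0 must hold whenever the loop is entered
        if not isinstance(z, int) or isinstance(z, bool) or z < 0:
            raise VariantViolation(f"variant {z!r} is not in N0 at {state}")
        body(state)
        steps += 1
        z_next = variant(state)
        # phi(z) and b before the body must yield phi(z') with z' < z after it
        if not z_next < z:
            raise VariantViolation(
                f"variant did not decrease: {z} -> {z_next} at {state}")
    return steps


def countdown(a):
    """Slide 12: while (a>0) a--, with variant z == floor(a).

    For int a the argument holds.  For float a it does not: IEEE-754 doubles
    carry a 53-bit significand, so for a >= 2**53 the assignment a = a - 1
    leaves a unchanged and floor(a) does not decrease.
    """
    st = {"a": a}

    def body(s):
        s["a"] = s["a"] - 1

    run_with_variant(st, lambda s: s["a"] > 0, body,
                     lambda s: math.floor(s["a"]))
    return st["a"]


def gcd_by_subtraction(m, n):
    """Slide 13: precondition a==m>0 and b==n>0, variant z == a+b.

    Each iteration subtracts min(a,b) > 0 from one of the two variables,
    so z' = z - min(a,b) < z, as the slide's proof states.
    """
    assert m > 0 and n > 0, "precondition a==m>0 and b==n>0"
    st = {"a": m, "b": n}

    def body(s):
        if s["a"] > s["b"]:
            s["a"] = s["a"] - s["b"]
        else:
            s["b"] = s["b"] - s["a"]

    run_with_variant(st, lambda s: s["a"] != s["b"], body,
                     lambda s: s["a"] + s["b"])
    return st["a"]


def mccarthy91(a):
    """Slide 14: the 'more intricate example', returning a after the final a-=10.

    Variant (my choice, not given on the slide): z == 21*b - 2*a + 201.
    Both branches change z by exactly -1, and the invariant b >= 1 and
    a <= 101 + 10*b (established by 0<a<=100, b==1) gives z >= b - 1 >= 0.
    """
    assert 0 < a <= 100, "precondition 0<a<=100"
    st = {"a": a, "b": 1}

    def body(s):
        if s["a"] <= 100:
            s["a"] += 11
            s["b"] += 1
        else:
            s["a"] -= 10
            s["b"] -= 1

    run_with_variant(st, lambda s: s["a"] <= 100 or s["b"] != 1, body,
                     lambda s: 21 * s["b"] - 2 * s["a"] + 201)
    return st["a"] - 10


def variant_is_valid(thunk):
    """True iff running `thunk` raises no VariantViolation."""
    try:
        thunk()
        return True
    except VariantViolation:
        return False


if __name__ == "__main__":
    print(countdown(5), gcd_by_subtraction(48, 18))
    print(all(mccarthy91(a) == 91 for a in range(1, 101)))
    print(variant_is_valid(lambda: countdown(5.0)),
          variant_is_valid(lambda: countdown(1e17)))
```

Running the block answers the question on slide 12: `countdown(5.0)` passes the check, but `countdown(1e17)` stops at the first iteration because floor(a) stays at 10**17, so the step ⊢ floor(a)==z a-- floor(a)==z-1 is not valid for doubles beyond 2**53. For slide 14 the check passes for every a in 1..100 and the result is 91 each time; the variant is only a termination argument, the postcondition is confirmed here by enumeration of the bounded precondition rather than by a proof.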
